How to use this scenario - Cyber Security Knowledge Exchange

MSc Cyber Security
Facilitator Guide: Secure Software Development
Introduction
This guide provides:
1. The details of the scenario
2. Possible learning issues
3. Possible solutions
4. Resources
How to use this scenario
The scenario can be used in several ways. Two proposed approaches are:
Scenario
You are a lead security consultant in a large telecommunications enterprise, ‘Banana Mobile
International’. The enterprise has markets within the UK, Europe, America and the Far East, and
currently employs 120,000 employees globally. Your team has approximately 70 security
consultants globally, supported by additional security subject matter experts who specialise in
Cryptography, Security Engineering, Security Architecture, and Governance and Risk. The firm
is organised into four main lines of business:
• Retail in store
• Telephone sales (customer services)
• Wholesale
• Digital (internet).
Supporting each line of business there are operational teams that cover the following areas:
• Marketing and Branding
• Accounts (customer billing)
• Finance (accounts)
• Legal
• Fraud
• Regulatory compliance
• Business Information Systems (BIS)
• Information Technology (IT Support)
• Telecommunication Engineering
• Information Security (the team you work in).
The firm currently has over 200 million customers who use the company mainly for the
provision of mobile phone handsets and their associated pay as you go and monthly contract
SIM card packages.
Recently the firm has recruited a new chief operating officer (Louise Pinstripe) who is in charge
of the strategic business operating model and product lines. Despite the firm’s relative success
within the traditional mobile telecommunications sector, it currently holds 16% of the global
market and requires its share price to increase from 300p per share to 400p per share over
the next 3 years. Louise has been informed by her executive colleagues that they need to
increase their market share from 16% to 22% within the next 2 years in order to be on target.
Louise has therefore recently decided that the firm needs to embark on an ambitious
programme to expand its digital and wholesale channels. Her marketing department has
decided that the digital channel needs to include the following high-level customer services, so
that Banana Mobile can gain a competitive advantage and entice new customers:
• Mobile applications to support customer account enquiry
• Mobile applications to support sales of products sold by the firm
• Mobile applications to recruit and drive the firm’s brand into new markets, such as:
  o Location services
  o Payment services (peer to peer payments)
  o Entertainment (music and video streaming services).
As is usual, Louise has delegated the programme of works to the Business Information Systems
team to operate the project management office (PMO) for the delivery of the project within
defined strategic phases.
The annual budget for the project is set at 50,000,000 GBP.
As one of the lead security consultants for the firm, it is your role to assist the programme
management in the identification of security tasks, general advice and guidance, standards
adherence (compliance with the firm’s security standards, which are based on the
ISO 27001:2013 Annex A controls), as well as appropriate risk identification and acceptance in
accordance with the firm’s Information Security Management System (ISMS). The ISMS is also
based upon ISO 27001, but has not yet been fully audited for compliance.
The project team that has been assembled includes the following people:
• Business Analysts
• Solution Architects
• Infrastructure Architects
• Software Developers
• Test Teams
• Representatives from key business teams (stakeholders):
  o Marketing
  o Fraud
  o Legal
  o Regulatory compliance
So far the programme has very little in terms of direction; however, Louise (who is from a
software development background) has stated that the firm’s usual method of software
development, which is based on the Software/Systems Development Life Cycle (SDLC), is too
verbose and bureaucratic. Consequently the programme has been charged not only with
developing and delivering the new products, but it has also been asked to develop a new
governance process that will allow the programme to meet its high-level business
requirements quickly and safely with minimal risk to the business.
The project management has decided that the first year of the programme will focus on the
following deliveries:
• Quarter 1 – construct the new governance model
• Quarter 2 – develop the designs for a new software product to be platformed on Android,
  iOS, Windows Mobile and Blackberry (RIM) operating systems
• Quarter 3 – develop the customer support tools
• Quarter 4 – launch the product to staff.
The second year will refocus the project on the release of the core mobile application to the
customer base, ensuring that iterative software releases include new and exciting features that
realise Louise’s vision for the selling of location, payment and entertainment services.
The final steer from Louise is that customer registration with the new mobile applications
must be as mobile as possible, allowing customers to see an advert in the street, decide
there and then that they would like to participate in the service, and register
to receive services without the need to answer post-delivered mailer responses.
• The registration process must cater for existing customers of the firm; and
• It must also be able to extend to customers of other mobile phone company networks.
One month into the development programme at Banana Telecommunications Plc, it is widely
recognised that 3 years is actually a very tight timeline in which to deliver the programme, and
much emphasis has been placed by the senior stakeholders within the business on the
programme delivering prototypes and methodologies within the first year. The PMO, which
is panicked and is escalating all teams to mobilise dedicated resources, has therefore decided
that delivery milestones for software prototypes shall be based on a 30 day cycle.
They have a working prototype for a web service that will broker mobile client requests, and a
mobile application.
Your Task
Security is important to the telecommunications company as it suffers from customer
fraud and has regulatory requirements to adhere to. Traditionally, the business has been
guided by the ISMS process, which is closely aligned to the SDLC, and as such it is understood
that the security team is a key stakeholder from which the project must gain buy-in
before any product line can be a success.
As such the project is looking to you to provide them with guidance on:
• The customer registration process
• The overall development of the products
• The governance model
• The risk management process.
Deliverables
1. Provide an executive summary that identifies the key risks involved in rapid
development life cycles, and prescribe methods for mitigating the risks (300 words)
2. Provide a consultancy report that identifies the Information Security team’s preferred
method for software development, identify the phases for each delivery, and the tasks
that will be undertaken by the security team at each phase (1500 words)
3. Undertake a threat analysis against the proposed products, and identify controls that
would mitigate the threats (1500 words).
4. Identify a way in which the customer can register their mobile device with the service
securely to mitigate against the threat of malware and social engineering (1500
words).
Solutions
Executive summary task
• Student identifies the differences (advantages and disadvantages) between rapid
  development and traditional development life cycles.
• Student identifies where security inspection (engagement) would normally be
  undertaken; typical examples include:
  o At initiation
  o Requirements
  o Design
  o During development / testing
Consultancy report task (build upon first task)
Student describes a rapid development life cycle methodology, and key points where security
inspection should take place. Good examples:
• Initiation – high-level requirements for process / development life cycle – identifies the
  need for formal sign-off of project deliverables by the security team (security as a
  stakeholder)
• Examining the proposition – perhaps reviewing storyboards and customer journeys
• Development – code review
• Testing – during the user acceptance testing (security personnel as users)
Threat Analysis
Student should research threat analysis techniques and tools (Microsoft have a tool for this
purpose) and identify threats:
• First party fraudster (i.e. a customer)
• Third party fraudster (someone who is aware of the real customer and takes over their
  account)
• Internal attacker
• External hacker (reverse engineer perhaps)
• Malware
Controls that could be used to defeat attacks:
• Input validation
• Code review / pentesting
• Obfuscation and tamper proofing controls
• Cryptography
• ID&V (Identification & Verification)
• Access controls
• Device finger printing / profiling
• Credit checks
• Event logging and alerting
Customer ID&V
Student should make assumptions relating to what information will be available to support a
customer registration process (drawing on knowledge they have about registration processes for
other applications and services).
Identify secrets that need to be processed or stored by the solution. Identify how the secrets
could be vulnerable (phishing, reverse engineering etc.) and identify ways in which they can
be protected.
Identify weaknesses in the mobile platform regarding cryptography, for example the SSL/TLS key
chain is vulnerable to key substitution attacks; identify methods for thwarting such attacks
(certificate pinning). Identify that mobile devices are not very good at producing random
material; the student should suggest a method for increasing the randomness of numbers. One
possible solution is to generate two 128-bit numbers, one on the device and one on the web
server, and then XOR them together on the device to create a more random secret.
Research and identification in the secure containerisation of mobile application code would
distinguish students, i.e. deriving secrets using PBKDF2 or similar rather than storing a secret
on the handset.
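As an added illustration (not part of the guide), the two points above in Python: the device's own 128-bit random value is XORed with one supplied by the web server, and the working key is then derived with PBKDF2 at unlock time, so that only a salt and a key verifier, never the secret itself, are kept on the handset. The enrol/unlock functions, the "key-check" label and the iteration count are assumptions made for this example.

```python
import hashlib
import hmac
import secrets


def combine_secrets(device_rand: bytes, server_rand: bytes) -> bytes:
    """XOR a device-generated and a server-generated 128-bit value.

    The result is unpredictable as long as at least one input is, which is
    the reason for mixing server randomness into a weak handset RNG. The
    server never learns the result because it never sees device_rand.
    """
    if len(device_rand) != 16 or len(server_rand) != 16:
        raise ValueError("expected two 128-bit (16-byte) values")
    return bytes(a ^ b for a, b in zip(device_rand, server_rand))


def derive_key(passphrase: bytes, salt: bytes, iterations: int = 600_000,
               length: int = 32) -> bytes:
    """PBKDF2-HMAC-SHA256: derive the data key from a user secret and a salt
    instead of persisting the key itself on the handset."""
    return hashlib.pbkdf2_hmac("sha256", passphrase, salt, iterations, length)


def enrol(passphrase: bytes, server_rand: bytes,
          iterations: int = 600_000) -> dict:
    """Registration step (hypothetical): keep only the salt, the iteration
    count and a key verifier on the device; the derived key is discarded."""
    salt = combine_secrets(secrets.token_bytes(16), server_rand)
    key = derive_key(passphrase, salt, iterations)
    verifier = hmac.new(key, b"key-check", "sha256").digest()
    return {"salt": salt, "iterations": iterations, "verifier": verifier}


def unlock(passphrase: bytes, record: dict):
    """Re-derive the key at unlock time and confirm it against the verifier
    in constant time; return None on a wrong passphrase."""
    key = derive_key(passphrase, record["salt"], record["iterations"])
    check = hmac.new(key, b"key-check", "sha256").digest()
    if not hmac.compare_digest(check, record["verifier"]):
        return None
    return key
```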
Infrastructure
Scenario
During the development of the Banana Telecommunications Mobile Application, the
programme team has identified a new hardware based appliance that will undertake TLS deep
packet inspection of TCP packets containing XML and SOAP messaging, and will therefore have
a requirement to store high value cryptographic keys.
The device will be deployed within the firm’s DMZ. The DMZ has zones dedicated to:
• Management and monitoring
• Presentation layers
• Application layers
• Storage layers.
Before the product can be used, the programme team must make arrangements for the
product to be added to Banana Telecommunications Plc’s approved products list.
Your Task
Develop a baseline standard that the product must conform to (1500 words):
1. Identify the industry standards and certifications that you would expect a product such
as this to conform to.
2. Identify the security requirements that you would expect this device to meet:
a) Event logging
b) Authentication
c) Crypto key storage (HSMs).
Resources
In order to complete this work, you need to use the following resources:
• Security Engineering (Ross Anderson)
• ISO 27001
• ISC2 – CISSP CBT
• NIST
• EAL Common Criteria
Solutions
• Students should identify FIPS levels as a standard for HSMs.
• Students should identify the common criteria and EAL levels.
• The device should have more than one network interface.
• The device should be EAL 4 or above and FIPS 140-2 Level 3 compliant.
• Students should identify suitable equipment that fits their standard, and select a
  preference stating why.
PBL 3 Problem Statement: Cryptography
Scenario
During the development of the Banana Telecommunications Mobile Application, the lead
software developer has asked you to provide advice and guidance on the development of a
suitable encryption scheme for the protection of sensitive data at rest.
The data includes:
• Text messages that the customer has sent [160 characters]
• Passwords and codes (secrets) [30 characters]
• Bank account details name [20 characters]
• Bank account details sort code [6 characters]
• Bank account details account number [12 characters]
• Card number (PAN) [16 characters]
• CVV [5 characters]
The developer has advised you that the information will be stored in a SQL database that is
hosted on a hypervisor within the firm’s strategic data centre. The firm has suffered from
historical thefts of sensitive customer data, which is suspected to have been facilitated by
internal infrastructure support staff. It is therefore important that the data cannot be
decrypted by the maintenance staff including the DBA.
The developer is thinking of using 2 Key Triple DES in ECB mode, with no padding as he has
some sample code that he can re-use.
Your Task
Write an advice and guidance report to the developer (2500 words):
• Identify which information should be encrypted and state why.
• Identify which information must not be stored.
• Evaluate the suitability of the chosen encryption algorithm for the task and where
  applicable suggest an alternative. In doing so, explain the attacks that could be leveraged
  against cryptographic algorithms.
• Identify the tasks required for the secure implementation of cryptography, including:
  o Key storage
  o Key management (rotation, retirement).
• Suggest alternatives to the developer writing the encryption routine (can this be done
  by an off the shelf product – for example Oracle or MS SQL – if so how?).
Resources
• Security Engineering (Ross Anderson)
• ISO 27001
• ISC2 – CISSP CBT
• NIST
• EAL Common Criteria
• PCI-DSS Standards and supplemented documentation
• Vendor documentation from Oracle and Microsoft relating to TDE.
Solution
Students should be able to identify which information is, and is not, required to be encrypted by
reviewing the PCI-DSS standards. In addition, authentication secrets must always be encrypted.
The CVV number must never be stored.
The proposed DES scheme in ECB mode is vulnerable because ECB always gives the same ciphertext
for the same plaintext block, so repeated values are visible across records. Therefore students
should advise on a different algorithm. Distinguished students will identify ‘strong
cryptography’ within the PCI documentation glossary, and will advise the use of AES in CBC mode.
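To make the ECB weakness concrete, here is an added Python illustration (not from the guide) of the two modes implemented over a generic 8-byte block function. The block function used is a keyed HMAC stand-in for 3DES, not a real cipher, so the point is the mode itself: under ECB equal plaintext blocks give equal ciphertext blocks, under CBC with a fresh IV they do not. PKCS#7 padding is included because the developer's ‘no padding’ plan only works for fields that are an exact multiple of the block size, which a 6-character sort code is not.

```python
import hashlib
import hmac

BLOCK = 8  # DES/3DES block size in bytes (AES would be 16)


def pkcs7_pad(data: bytes, block: int = BLOCK) -> bytes:
    """Pad to a whole number of blocks; a 6-character sort code or a
    12-character account number cannot be encrypted block-wise without it."""
    n = block - (len(data) % block)
    return data + bytes([n]) * n


def ecb_encrypt(block_encrypt, plaintext: bytes, block: int = BLOCK) -> bytes:
    """ECB: every block is encrypted independently, so identical plaintext
    blocks (and identical records) produce identical ciphertext."""
    padded = pkcs7_pad(plaintext, block)
    return b"".join(block_encrypt(padded[i:i + block])
                    for i in range(0, len(padded), block))


def cbc_encrypt(block_encrypt, iv: bytes, plaintext: bytes,
                block: int = BLOCK) -> bytes:
    """CBC: each block is XORed with the previous ciphertext block (the IV
    first), so repetition is hidden provided the IV is fresh and random.
    The IV is prepended because the decryptor needs it."""
    padded = pkcs7_pad(plaintext, block)
    prev, out = iv, []
    for i in range(0, len(padded), block):
        chunk = bytes(a ^ b for a, b in zip(padded[i:i + block], prev))
        prev = block_encrypt(chunk)
        out.append(prev)
    return iv + b"".join(out)


def distinct_blocks(ciphertext: bytes, block: int = BLOCK) -> int:
    """How many different block values appear: the pattern an insider
    reading the database table would see."""
    return len({ciphertext[i:i + block]
                for i in range(0, len(ciphertext), block)})


def stand_in_block_cipher(key: bytes):
    """Keyed pseudo-random block function used ONLY to show the modes.
    It is not a cipher (it cannot decrypt) and must not be used as one."""
    return lambda blk: hmac.new(key, blk, hashlib.sha256).digest()[:BLOCK]
```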
Students should be able to advise on various cryptographic attacks:
• Known plain text attack
• Chosen plain text attack
• Adaptive chosen-ciphertext attack
Cryptography is only as secure as the key, so students should identify the controls needed to
protect the key; the following are all good examples:
• Hardware security modules
• Software security containers such as operating system key chains and stores
• Dual authentication (four eyes authentication) whereby an encrypting secret is split
  between two individuals.
Students should advise the developer on the need to rotate keys, and key management. How
will access to data be maintained after the key has been changed?
Distinguished students will evaluate the business need for encryption over the developer’s
desire to implement their ‘home brew’ cryptography solution. It might be better for the
student to advise the use of Transparent Database Encryption; both Oracle and Microsoft have
implementations of this technology, and it answers many of the complexities relating to key
rotation. Distinguished students will discredit the use of a ‘developer implementation’ in
favour of an off the shelf product such as Oracle, and will identify the operational controls
required to implement the Oracle solution correctly (i.e. scripts for enabling it, testing it,
changing the key, different types of encryption, how to protect the master secret etc.).